cmmc-pe-4 Medium priority Physical Protection / Physical Access

Control and manage physical access devices

Physical access devices such as keys, key cards, access badges, PINs, and combinations are the credentials that grant physical access to secured areas. Like digital credentials, they must be managed: issued only to authorized individuals, tracked, and revoked when no longer needed. Lost or unrevoked access devices create the same risk as a live user account for a terminated employee.

Implementation steps

  1. Maintain an inventory of physical access devices

    Track all issued physical access devices: who has each key or badge, which doors or areas it grants access to, and when it was issued. For electronic access control systems, this inventory is typically maintained in the system software. For physical keys, maintain a key log.

    Tools: Lenel, Genetec, Excel
  2. Establish a formal issuance and return process

    Require a formal request and approval process before issuing access devices. Collect access devices on the last day of employment during the offboarding process. When an employee changes roles and no longer needs access to a location, collect and deactivate that access. Document all issuances and returns.

    Tools: ServiceNow, Excel
  3. Respond to lost or stolen access devices

    Establish a procedure for employees to report lost or stolen access devices immediately. Upon report, deactivate the device within hours (not days) and change physical locks or codes if the device was a key or combination. Issue a replacement through the formal request process after investigating the loss.

    Tools: Lenel, Genetec
  4. Periodically audit access device inventory

    Periodically reconcile the access device inventory against the current authorized personnel list. Identify and deactivate any devices assigned to former employees or individuals who no longer need access. Verify that the number of issued devices matches your records.

    Tools: Lenel, Genetec
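
One way to script the reconciliation in step 4, as an added example that is not part of the original page or of any vendor tool. It assumes the access control system or key log can be exported to CSV with the hypothetical columns shown; the device IDs, employee IDs and counts are constructed sample data.

```python
import csv
import io

# Constructed sample data: a badge/key export and the current authorized roster.
INVENTORY_CSV = """device_id,type,holder_id,status,areas
B-1001,badge,E100,active,lobby;server-room
B-1002,badge,E217,active,lobby
K-0007,key,E217,active,records-room
B-1003,badge,E342,deactivated,lobby
B-1004,badge,,active,lobby
B-1005,badge,e100,lost,lobby
"""
AUTHORIZED_IDS = {"E100", "E342"}  # constructed: E217 is no longer on the roster
ISSUANCE_LOG_COUNT = 5             # constructed: devices recorded in the issuance log


def reconcile(inventory_csv, authorized_ids, logged_count):
    """Compare the device inventory with the authorized personnel list."""
    # Normalize IDs so "e100" and "E100 " match the same person.
    authorized = {i.strip().upper() for i in authorized_ids}
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    findings = {"deactivate": [], "unassigned": [], "lost_follow_up": []}
    for row in rows:
        holder = row["holder_id"].strip().upper()
        status = row["status"].strip().lower()
        if status == "lost":
            # Reported lost: confirm deactivation and any lock or code change.
            findings["lost_follow_up"].append(row["device_id"])
        elif status == "active" and not holder:
            # Active device with no recorded holder: the inventory is incomplete.
            findings["unassigned"].append(row["device_id"])
        elif status == "active" and holder not in authorized:
            # Active device held by someone not on the authorized list.
            findings["deactivate"].append(row["device_id"])
    # The number of devices in the export should match the issuance records.
    findings["count_matches_log"] = len(rows) == logged_count
    return findings


if __name__ == "__main__":
    for name, value in reconcile(INVENTORY_CSV, AUTHORIZED_IDS,
                                 ISSUANCE_LOG_COUNT).items():
        print(f"{name}: {value}")
```

The returned findings can be saved with the run date as the access device reconciliation report listed under the evidence below.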

Evidence required

Access device inventory

Current list of all issued physical access devices and their assigned holders.

  • Badge assignment report from access control system
  • Key issuance log

Issuance and return records

Records showing that access devices were formally issued and returned.

  • Signed key receipt forms
  • Badge issuance and deactivation audit trail

Access device audit records

Evidence of periodic audits confirming that only current authorized personnel hold active access devices.

  • Access device reconciliation report
  • Annual physical access audit results

Related controls